v1.9.3 — Smarter Agents, Safer Company Configuration, and Better Workspace Tools

What's New

Smarter Agent Memory and Follow-up Tracking

Agents now manage their active work through a structured Focus system instead of relying on loose workspace notes. This makes reminders, follow-ups, recurring triggers, and ongoing tasks easier to understand and more reliable across sessions.

The Aware page has also been improved to show active work, system focus items, completed items, and related triggers in a clearer way.

Safer Company and Agent Permissions

Agent visibility and access control are now more explicit. Companies can better distinguish between company-wide agents, private agents, and custom-access agents.

This improves privacy for personal agents while still allowing company admins to manage shared agents appropriately.

Company Tool Settings Are Now Properly Isolated

Company-level tool configuration is now scoped to the current company. A newly created company will no longer appear to inherit API keys or configured states from another company.

This affects tools such as AgentBay, Smithery, Tavily, Vertex image generation, and other company-configured tools.

Better Talent Market Creation Flow

Creating a new digital employee from the dashboard now opens the Talent Market experience directly instead of sending users to the older creation page.

The new creation flow also supports clearer setup paths for platform-hosted agents and connected external agents.

Custom Image Generation API Support

A new image generation tool is available for custom API gateways. Companies can configure an API key, base URL, and model, then use it to generate images through providers such as TokenRouter, OpenRouter, or other OpenAI-compatible gateways.

Advanced request settings are available but hidden by default, so most users only need to fill in the core connection information.

Better AgentBay Code Sandbox File Operations

Agents now have dedicated tools for reading, writing, and editing files inside the AgentBay Code Sandbox.

This makes coding tasks in AgentBay more natural and reduces confusion between files in the Clawith workspace and files inside the AgentBay sandbox.

Improved Workspace File Experience

Workspace files are easier to work with:

Code files such as Python, TypeScript, JavaScript, CSS, YAML, shell scripts, Dockerfiles, and config files can now be previewed directly.
Workspace files and folders can be moved or renamed more reliably.
File preview, download, upload, and folder creation actions have been polished.
Markdown image previews now support larger preview and download interactions.

More Reliable MCP Discovery and Installation

MCP discovery and installation now use company-level Smithery and ModelScope settings more reliably. If a company key is already configured, agents should no longer unnecessarily ask the user to provide another key.

The MCP installer guidance has also been cleaned up and moved to the newer skill location.

Relationship and Plaza Visibility Improvements

Private and restricted agents are now handled more carefully in Plaza and relationship views. Company-wide social surfaces only show appropriate company-visible agents, helping prevent private agents from appearing where they should not.

General UX and Reliability Polish

This release includes improvements across onboarding, login/setup flows, model selection, tool configuration dialogs, workspace interactions, and document conversion reliability.

Upgrade Guide

Database migration required. Run migrations before restarting production services.

Docker Deployment

git pull origin main

docker exec clawith-backend-1 alembic upgrade heads

docker compose down
docker compose up -d --build

Source Deployment

git pull origin main

cd backend
alembic upgrade heads
cd ..

cd frontend
npm install
npm run build
cd ..

./restart.sh

Kubernetes / Helm

helm upgrade clawith helm/clawith/ -f values.yaml

Then run the database migration job or equivalent backend command:

alembic upgrade heads

Upgrade Notes

Review company tool settings after upgrade, especially API keys for AgentBay, Smithery, Tavily, image generation, and MCP discovery tools.
Company-level built-in tool configuration is now company-scoped. This fixes cross-company configuration leakage, but admins may need to re-save settings for each company if they were relying on old shared values.
Agent Focus is now stored in structured system storage. Existing focus.md content is treated as legacy data and can be migrated into the new Focus system when accessed.
Private and custom-access agents now have stricter visibility behavior in Plaza and relationship features.
If you use custom image generation gateways, configure the new “Generate Image (Custom API)” tool at the company or agent level before use.

v1.9.2 — Workspace Governance, Tool UX & Token Cache Accounting

What's New

Enterprise Info & Workspace Governance

Shared enterprise_info/ workspace area now appears as tenant-level company context for agents and users.
Agent-side enterprise info is read-only: agents can list and read company context, but cannot create, edit, or delete shared enterprise files.
Admin-managed enterprise knowledge base: platform and org admins can update enterprise info while regular users and agents are protected from accidental modification.
Legacy task files no longer appear in new agent workspaces: new agents no longer receive todo.json / tasks.json; existing tasks.json files remain supported as legacy snapshots.
Workspace file handling polish improves preview/download behavior for shared enterprise files and preserves read-only boundaries.

Agent Management & Permissions

Company admins can manage company-visible agents even when those agents were created by regular users.
Private user-only agents remain private to their creator.
Agent permission APIs now return effective management capability, so the UI can distinguish creator ownership from admin management rights.
Start, stop, and permission update actions now use effective manager permission instead of creator-only checks.

Tool Management Experience

Agent and company tool lists now share a cleaner grouped UI with category headers, search, status filters, counts, and bulk toggles.
Tool categories are easier to scan and can be expanded only when needed, reducing very long tool-list pages.
Per-tool emoji icons were removed from the main list in favor of calmer category icons and compact labels.
Update Objective is now a global default tool, so newly created employees have the OKR objective update capability enabled by default.
Tool loading now avoids exposing disabled or agent-only tools to the LLM fallback path.

Chat & Agent UX

New and existing chat sessions focus the composer automatically, so users can type immediately after opening a session.
Existing sessions open at the latest message more reliably.
Expanded tool chains now keep following the bottom only while appropriate: if the user scrolls up intentionally, new tool updates no longer force the viewport back down.
Duplicate assistant avatars after a tool-chain block were removed for a cleaner transcript.
Tool-chain copy was refined from "Ran X agents" to clearer activity language.
Agent expiry quick-renew buttons now show selected state.
The dashboard's secondary "New Digital Employee" button was removed; creation remains available from the sidebar entry point.

Token Accounting & Cache Visibility

Token usage tracking now records input, output, estimated, cache-read, and cache-creation token counters.
Agent stats expose cache hit information for providers that return cache usage.
Qwen / Alibaba Bailian compatible calls now support provider-specific prompt cache control while preserving stable prompt prefixes.
Daily and monthly token reset logic now resets cache counters alongside total token counters.

Prompting, Webpage Generation & Tool Reliability

Default webpage/rich-document style guidance moved into the system prompt, reducing repeated tool-description text while keeping generated pages visually consistent.
Agent-facing reply guidelines now discourage emoji-heavy normal replies.
Web search instructions now refer to currently enabled tools instead of hardcoding unavailable tool names.
Tool-call execution now blocks disabled tool names and asks the model to retry malformed JSON tool arguments cleanly.
HTML-to-PDF and HTML-to-PPT conversion descriptions and parameters were expanded for higher-fidelity Chrome-based rendering.
Restart script now starts backend and frontend as detached daemons, avoiding local dev servers exiting after the restart command completes.

Upgrade Guide

Database migration required. Run alembic upgrade heads before restarting application services.

This release adds or updates schema/data defaults for:

agent cache token counters
daily token usage input/output/cache/estimated counters
default agent TTL changing to permanent (0)
default daily LLM call limit changing to 1000

Docker Deployment

git pull origin main

# Run database migrations
docker exec clawith-backend-1 alembic upgrade heads

# Rebuild and restart services
docker compose down && docker compose up -d --build

Source Deployment

git pull origin main

# Run database migrations
cd backend && alembic upgrade heads
cd ..

# Rebuild frontend
cd frontend && npm install && npm run build
cd ..

# Restart backend / frontend services

Kubernetes / Helm

helm upgrade clawith helm/clawith/ -f values.yaml
# Run migration job / command: alembic upgrade heads

Notes

enterprise_info/ is now shared tenant context. Review who has platform or org admin roles, because only admins should update those shared files.
New agents are permanent by default. If your deployment requires expiring agents, set tenant/user TTL defaults explicitly after migration.
Token cache counters depend on provider usage payloads. Providers that do not return cache fields will continue to show zero cache usage.
Existing legacy tasks.json files are preserved, but new agents will not get todo.json or tasks.json automatically.
If you run from source, use the updated restart.sh or your own process manager to keep frontend/backend processes detached.

v1.9.1 — Talent Market, Per-User Onboarding & Template Automation

What's New

Talent Market & Agent Templates

Talent Market added to the hiring flow, letting teams browse, compare, and hire curated agents directly from the product UI
Folder-based template loader for agent templates, making template packaging and rollout more maintainable
19 new curated templates across business, engineering, content, and trading scenarios, including:
- backend architect, chief of staff, code reviewer, content creator, devops automator, frontend developer, growth hacker, rapid prototyper, SEO specialist, TikTok strategist, LinkedIn content creator
- macro watcher, market intel aggregator, technical analyst, pre-market briefer, watchlist monitor, risk manager, trading journal coach, tilt-bias coach, COT report analyst, earnings/filings analyst
Trading-focused built-in skills added for market data and financial calendar workflows
Post-hire settings now supported, so newly hired agents can be configured immediately after creation

Per-User Onboarding & Default Model Experience

Per-(user, agent) onboarding introduced, so onboarding runs once per user-agent relationship instead of once per agent globally
Two-turn onboarding ritual added for newly hired or newly contacted agents: a focused introduction followed by an immediate deliverable
Onboarding backfill logic prevents historical agent-user pairs from being re-onboarded after upgrade
Tenant default LLM model support added, including backend APIs and frontend selection flows
Model switcher UI added and refined to better reflect tenant and agent defaults during chat

Template Automation & MCP Provisioning

Template-defined default MCP servers can now auto-install when an agent is created
Template default skills merging improved so agent creation preserves template-defined skills alongside platform defaults
Template bootstrap metadata added, including capability bullets and bootstrap content for richer cards and onboarding prompts

Chat, Workspace & UX Improvements

Workspace switcher added to agent chat and detail flows for faster context switching
Clawith-styled modal and toast system replaces native browser dialogs in key frontend flows
Agent chat and workspace interactions polished for smoother file and panel operations
Agent creation flow improved with better structure and clearer template-driven setup
Company logo settings added to the admin/company experience
Company region picker added to enterprise settings
Agent detail, layout, enterprise settings, and admin company pages received usability and visual refinements

Localization & Marketplace Readiness

Locale-aware greeting behavior added for hired agents
Chinese translations and template localization expanded across Talent Market and onboarding experiences
Hardcoded English copy removed from key hire/onboarding paths to improve multilingual consistency

Platform & Integration Enhancements

WeChat channel support completed in the mainline release path
Webpage tools enhanced for richer browsing and page interaction workflows
Smithery/MCP tool discovery and invocation made more resilient with live schema override behavior and improved request headers

Optimizations & Fixes

Onboarding performance optimization: the greeting turn now skips the full tool list, significantly reducing prompt size on first contact
Onboarding stability fixes: prevents ritual leakage into later sessions and avoids duplicate/late onboarding triggers
Model picker fixes: better default syncing, improved dropdown positioning, and clipping fixes
Channel user identity reuse and outbound routing fixed for more reliable cross-channel delivery
Agent creation fixes: template skills and auto-installed MCP tools now attach more consistently
Migration graph fixes: release migrations were stabilized and merged to avoid broken multi-head upgrade paths
UI polish fixes across chat panels, dialogs, agent cards, and company branding

v1.9.1 — Upgrade Guide

Database migration required. Run alembic upgrade heads before restarting application services.

This release introduces new schema changes in the v1.9.0..main range, including:

tenants.default_model_id
agent_user_onboardings
agent_templates.capability_bullets
agent_templates.bootstrap_content
agent_templates.default_mcp_servers
release-head merge migration cleanup

Docker Deployment (Recommended)

git pull origin main

# Run database migrations
docker exec clawith-backend-1 alembic upgrade heads

# Rebuild and restart services
docker compose down && docker compose up -d --build

Source Deployment

git pull origin main

# Run database migrations
cd backend && alembic upgrade heads
cd ..

# Rebuild frontend
cd frontend && npm install && npm run build
cd ..

# Restart backend / frontend services

Kubernetes (Helm)

helm upgrade clawith helm/clawith/ -f values.yaml
# Run migration job / command: alembic upgrade heads

Notes

Existing user-agent pairs are automatically backfilled into agent_user_onboardings, so established conversations should not be re-onboarded after upgrade.
If your deployment provisions agents from templates, review any template metadata that now uses bootstrap_content, capability_bullets, or default_mcp_servers.
If you rely on tenant-scoped model management, validate the new default model selection in Company / Enterprise settings after migration.
New template-driven MCP auto-install flows require a valid Smithery/system MCP configuration in environments that use those templates.

What's New in v1.9.0

This is a major release introducing the OKR management system, real-time workspace collaboration, new channel integrations, and critical security hardening.

🎯 OKR Management System

A full-featured OKR engine built on top of the multi-agent platform:

OKR Data Model & API — Complete CRUD for Objectives and Key Results, including a company-level OKR dashboard
Auto-provisioned OKR Agent — When a tenant enables OKR for the first time, a dedicated OKR Agent is automatically created
Daily Collection & Reporting — The OKR Agent sends daily progress check-ins to members via A2A, aggregates responses, and generates company-level reports; automatically skips non-business days
Nudge Members — Proactively reminds members who haven't submitted OKR updates; supports relationship-network-based member filtering
KR Content Update Tool — Agents can directly call a tool to update KR progress content
OKR Settings Page — New dedicated OKR tab in Enterprise Settings for toggling, cadence configuration, and report trigger management
Missing OKR Members Panel — Displays members who haven't filled in OKRs, with source annotations

🤝 Agent-to-Agent (A2A) Enhancements

Three message types — notify, consult, and task_delegate; agents automatically select the appropriate type based on semantics
Tenant-level async toggle — a2a_async_enabled moved from Agent level to Tenant level; configure once in Enterprise Settings
A2A session visibility — A2A replies are mirrored to shared sessions; users can view agent-to-agent conversations in the "Other Users" tab
User-friendly notifications — Task delegation generates readable notification titles, filtering out internal jargon

🗂️ Workspace Collaboration

Rich file preview — Sidebar preview for images, HTML, PDF, Markdown, and more
Preview lock — Users can lock the current preview to prevent auto-switching when agents write files
Streaming draft parameters — Real-time streaming display of draft parameters during tool calls
File deletion confirmation — Confirmation prompt before deleting a previewed file
Auto-archive generated documents — Agent-generated documents are automatically organized into corresponding folders
Hover delete button — Workspace file list shows a delete button on hover

📡 New Channel Integrations

WeChat (微信) — New WeChat Work channel integration
WhatsApp — New WhatsApp channel integration
Google Workspace — New Google Workspace integration with proxy configuration and UI improvements
DingTalk rich media — Added support for image, file, audio, and video message types in DingTalk

🛠️ New Agent Tools

Format conversion tools — Built-in tools for Word / Excel / PPT / PDF conversion
Feishu document search — Agents can search Feishu document libraries via tool call
Platform message priority routing — Messages from platform users are preferentially sent via send_platform_message

💬 Chat & Session Improvements

Primary Session — Platform users now have a dedicated primary session entry with unread badge support
Hash routing — Agent detail page supports hash anchor navigation to jump directly to a specific tab

🔒 Security Hardening

4 critical vulnerabilities patched (#246):
- Unauthenticated API key generation endpoint
- LLM API keys stored in plaintext — now AES-256 encrypted
- Production startup allowed with default JWT secret — now blocked unless DEBUG=true
- Multi-tenant isolation gaps in permission checks and Plaza API
Stronger execute_code sandbox — Enhanced bwrap isolation for the code execution tool
Removed plaintext credential fields — Plaintext website password fields removed from credential storage

⚡ Performance

Session list N+1 query fix (#410) — Replaced 1+2N per-session queries with 3–4 bulk queries regardless of session count
A2A wake reflection limit — Reflection sessions capped at 2 tool-call rounds to prevent resource waste

🐛 Bug Fixes

Fixed backend startup hang during database bootstrap
Fixed Feishu WebSocket duplicate connection causing "kicked by new connection" errors
Fixed Feishu streaming cards, structured errors, and migration robustness (#444)
Fixed approvals tab crash on non-array responses (#422)
Fixed missing ensure_identity_provider in registration flow (#469)
Fixed chat page scroll regression
Fixed model configuration not taking effect in real time
Fixed fallback LLM not activating when primary LLM errors
Added rate-limit protection to DingTalk org sync API
Fixed tool call message pairs (assistant + tool) being broken apart (#416)
Fixed malformed JSON arguments in write_file tool calls (#212)
Fixed user profile update not persisting correctly in PATCH /auth/me (#213)
Fixed org member identity mapping for sync and SSO (#404)

Upgrade Guide

Database migration required. This release includes multiple schema changes. Run alembic upgrade head before starting the new version.

⚠️ Breaking Changes — Read Before Upgrading

1. a2a_async_enabled moved from Agent to Tenant level
The migration script automatically sets the tenant-level flag to FALSE. After upgrading, reconfigure in Enterprise Settings → Company Info → A2A Async if you had this enabled per-agent.

2. send_web_message tool renamed to send_platform_message
Any Agent soul.md files that reference send_web_message must be updated manually. The old name will not be recognized.

3. Plaintext credential fields removed
The website_password and related plaintext fields have been dropped from the agent_credentials table. Back up your credentials before running migrations. After upgrading, re-enter credentials through the UI.

4. JWT secret enforcement in production
If your deployment uses the default SECRET_KEY=change-me, the backend will now refuse to start unless DEBUG=true. Set a strong secret in your .env before upgrading production.

Docker Deployment (Recommended)

# 1. Pull latest code
git pull origin main

# 2. Run database migrations (before restarting)
docker exec clawith-backend-1 alembic upgrade head

# 3. Rebuild and restart all services
docker compose down && docker compose up -d --build

Large datasets: The chat message index migration (#411) may take several minutes on tables with millions of rows. Run it during a maintenance window and monitor progress with:
docker exec clawith-backend-1 alembic current

Source Deployment

# 1. Pull latest code
git pull origin main

# 2. Install new backend dependencies
cd backend && pip install -e ".[dev]"

# 3. Run database migrations
alembic upgrade head

# 4. Rebuild frontend
cd ../frontend && npm install && npm run build

# 5. Restart backend
# (use your process manager: systemd, supervisor, etc.)

Kubernetes (Helm)

# 1. Update chart values if needed (new env vars: see Notes below)
vim values.yaml

# 2. Run migration job before rolling out new pods
kubectl exec -n <namespace> deploy/clawith-backend -- alembic upgrade head

# 3. Roll out new image
helm upgrade clawith helm/clawith/ -f values.yaml

Post-Upgrade Checklist

Verify backend starts without errors (docker logs clawith-backend-1)
Confirm SECRET_KEY is set to a non-default value in production
Re-enter any credentials that used plaintext fields (Agent Credentials page)
Update Agent soul.md files: replace send_web_message → send_platform_message
If A2A Async was in use: re-enable in Enterprise Settings → Company Info
New channels (WeChat, WhatsApp, Google Workspace): configure credentials in Enterprise Settings → Channels
OKR feature is off by default — enable in Enterprise Settings → OKR when ready

New Environment Variables

No new required environment variables. Optional additions:

Variable	Default	Description
`DEBUG`	`false`	Must be `true` to allow default JWT secret in dev

Notes

OKR features are disabled by default. Enabling them auto-creates a dedicated OKR Agent for the tenant.
WeChat, WhatsApp, and Google Workspace channels each require separate credential setup in Enterprise Settings before use.
The a2a_async_enabled column on the agents table has been removed; the flag now lives on the tenants table.

Bug Fixes

A2A Chat History Fixes

A2A session now shows both sides of the conversation: when a target agent is woken via notify or task_delegate, its reply is now mirrored into the shared A2A chat session so the full conversation is visible in the admin Other Users tab
Removed hardcoded 2-round tool call limit for A2A wake invocations: agents were hitting the limit before completing basic tasks; they now use their own configurable max_tool_rounds setting (default 50)
Fixed message loading order: sessions with many messages (e.g. long-running A2A threads) were only showing the oldest 500 messages; now correctly loads the most recent 500

Full changelog: see RELEASE_NOTES.md

What's New

Agent-to-Agent (A2A) Async Communication — Beta

Three communication modes for send_message_to_agent:
- notify — fire-and-forget, one-way announcement
- task_delegate — delegate work and get results back asynchronously via on_message trigger
- consult — synchronous question-reply (original behaviour)
Feature flag: controlled at the tenant level via Company Settings → Company Info → A2A Async toggle (default: OFF)
When disabled, the msg_type parameter is hidden from the LLM so agents only see synchronous consult mode
Security: chain depth protection (max 3 hops), regex filtering of internal terms, SQL injection prevention
Performance: async wake sessions limited to 2 tool rounds

Multimodal Image Context

Base64 image markers are now persisted to the database at write time
Chat UI correctly strips [image_data:] markers and renders thumbnails
Fixed chat page vertical scrolling (flexbox min-height: 0 constraint)
Removed deprecated /agents/:id/chat route

Search Engine Tools

New Exa Search tool — AI-powered semantic search with category filtering
New standalone search engine tools: DuckDuckGo, Tavily, Google, Bing (each as own tool)

UI Improvements

Drag-and-drop file upload across the application
Chat sidebar polish: segment control, session items styling
Agent-to-agent sessions now visible in the admin "Other Users" tab

Bug Fixes

DingTalk org sync rate limiting to prevent API throttling
Tool seeder: parameters_schema now correctly included in new tool INSERT
Unified msg_type enum references across codebase
Docker access port corrected to 3008

Upgrade Guide

Database migration required. Run alembic upgrade heads to add the a2a_async_enabled column.

Docker Deployment (Recommended)

git pull origin main

# Run database migration
docker exec clawith-backend-1 alembic upgrade heads

# Rebuild and restart
docker compose down && docker compose up -d --build

Source Deployment

git pull origin main

# Run database migration
alembic upgrade heads

# Rebuild frontend
cd frontend && npm install && npm run build
cd ..

# Restart services

Kubernetes (Helm)

helm upgrade clawith helm/clawith/ -f values.yaml
# Run migration job for a2a_async_enabled column

Notes

The A2A Async feature is disabled by default. No behaviour changes until explicitly enabled.
The a2a_async_enabled column defaults to FALSE, so existing tenants are unaffected.

v1.8.2 Release Notes

What's New

Security

Fix account takeover via username collision (#300): Prevents an attacker from creating an account with a username matching an existing SSO user's email, which could lead to unauthorized account access.
Fix duplicate user creation on repeated SSO logins: Feishu and DingTalk SSO now correctly reuse existing accounts instead of creating duplicate users.

AgentBay — Cloud Computer & Browser Automation

New: agentbay_file_transfer tool: Transfer files between any two environments — agent workspace, browser sandbox, cloud desktop (computer), or code sandbox — in any direction.
Fix: Computer Take Control (TC) white screen: TC now connects to the correct environment session (computer vs. browser) based on env_type. Previously, an existing browser session could hijack the computer TC connection.
Fix: OS-aware desktop paths: The agentbay_file_transfer tool description now automatically reflects the correct paths for the agent's configured OS type:
- Windows: C:\Users\Administrator\Desktop\
- Linux: /home/wuying/Desktop/
Fix: Desktop file refresh: After uploading to the Linux desktop directory, GNOME is notified to refresh icon display.
Multiple Take Control stability fixes: CDP polling replaced with sleep, multi-tab cleanup, 40s navigate timeout, unhashable type errors.

Feishu (Lark) — CardKit Streaming Cards

Feishu bot responses now stream as animated typing-effect cards using the CardKit API (#287).
Fixed SSE stream hang issues and websocket proxy bypass for system proxy conflicts.

WeCom (Enterprise WeChat) Integration

WeCom features are currently hidden behind a prerequisites notice (pending enterprise approval setup).
Backend: Full org sync, domain verification endpoint, dual-credential architecture for API access.
nginx: Added WW_verify_*.txt routing for WeCom domain ownership verification.

DingTalk & Organization Sync

Fixed DingTalk org sync permissions guide (Contact.User.Read scope).
Fixed open_id vs employee_id user type handling in Feishu org sync.

Other Bug Fixes

Fix: SSE stream protection — finish_reason break guard added for OpenAI and Gemini streams to prevent runaway streams.
Fix: Duplicate tool send_feishu_message — Removed duplicate DB entry; added dedup guard in tool loading to prevent Tool names must be unique LLM errors.
Fix: JWT token not consumed on reset-password and verify-email routes.
Fix: NULL username/email for SSO-created users in list_users.
Fix: Company name slug generation — Added anyascii + pypinyin for universal CJK/Latin transliteration.
Fix: publish_page URL — Correctly generates try.clawith.ai links on source deployments.
Fix: Agent template directory — Dynamic default for source deployments.
Various i18n fixes (TakeControlPanel, WeCom, DingTalk guide).

Upgrade Guide

No database migrations required. No new environment variables.

Docker Deployment (Recommended)

git pull origin main
docker compose down && docker compose up -d --build

Important: If your server does not have Node.js/npm, the frontend must be built locally and uploaded, or installed via nvm (see note below).

Source Deployment

git pull origin main

# Install new Python dependency
pip install anyascii>=0.3.2

# Rebuild frontend
cd frontend && npm install && npm run build
cd ..

# Restart services

nginx Update Required

A new routing rule for WeCom domain verification has been added to nginx.conf. If you manage nginx separately (not via Docker), add this block inside your server {} before the WebSocket proxy section:

location ~ ^/WW_verify_[A-Za-z0-9]+\.txt$ {
    proxy_pass http://backend:8000/api/wecom-verify$request_uri;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
}

Kubernetes (Helm)

helm upgrade clawith helm/clawith/ -f values.yaml

No migration job needed.

Upgrade Notes — Lessons Learned (from our production upgrade)

The following issues were encountered during the v1.8.1 → v1.8.2 production upgrade and may affect other deployers:

1. Server without npm: dist.zip may be stale in git

Problem: Our production server did not have Node.js/npm installed. The frontend/dist.zip tracked in git can fall behind when frontend changes are made and committed without a corresponding build (e.g., when the build was done on a separate dev server).

Symptoms: After git pull, the dist.zip in the repo may not include the latest frontend changes, causing new features to be invisible in the UI even though the backend is updated.

Solutions:

Option A (Recommended): Install Node.js on the deployment server via nvm (no root required):
```
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
source ~/.nvm/nvm.sh
nvm install 20
```
Then build on the server: cd frontend && npm install && npm run build

Option B: Build locally and upload via SCP:

# On local machine:
cd frontend && npm run build && cd dist && zip -r ../dist.zip .
scp frontend/dist.zip user@server:/path/to/Clawith/frontend/dist.zip

Note: In China-based server environments, downloading from raw.githubusercontent.com may be very slow. If so, use a proxy or mirror.

2. `anyascii` is a new required Python dependency

Problem: Starting from this release, anyascii>=0.3.2 is required. If upgrading without rebuilding the Docker image (e.g., using docker cp to update only the app directory), this dependency must be installed separately inside the container:

docker exec clawith-backend-1 pip install anyascii>=0.3.2

For standard docker compose up --build upgrades, this is handled automatically.

v1.8.1 Release Notes

Released: 2026-04-03

This is a stability and polish release built on top of v1.8.0-beta.3, covering security hardening,
Feishu reliability fixes, a redesigned tool-call visualization, new file-management tools, and
a first-class Kubernetes deployment option.

Highlights

Redesigned Tool-Call Visualization (AnalysisCard)

The live chat view now shows agent reasoning and tool calls in a unified AnalysisCard that
groups interleaved thinking and tool-call messages into one collapsible block. The card shows:

A pulse LED while the agent is running, turning green on completion
The currently-active tool name in collapsed state alongside tool-count badge
Individual <details> rows per tool for args and result (collapsed by default)
Italic thinking-content blocks inline for extended reasoning (deepthink) models

New File Management Tools

Three new built-in tools are available to all agents:

edit_file — targeted line-range edits without rewriting the entire file
search_files — substring or regex search across a workspace
find_files — glob-pattern file lookup
read_file now supports offset / limit for reading large files in pages

Kubernetes Deployment (Helm Chart)

A production-ready Helm chart is now included at helm/clawith/. Deploy Clawith on any
Kubernetes cluster in one command:

helm upgrade --install clawith helm/clawith/ -f values.yaml

Security Fixes

Cross-tenant data leak — org member and department search was returning results across
tenant boundaries. Now strictly scoped to the requesting tenant. (#security)
Platform admin token scope — platform_admin role was not pinned to tenant_id in the
JWT, allowing cross-tenant privilege escalation. Fixed.
Duplicate OrgMember shell — channel users could create duplicate OrgMember rows on
reconnect. A uniqueness guard has been added.

Feishu Integration Reliability

feishu_doc_append intermittent failures — Markdown --- dividers were converted to
block_type: 22 which the Feishu batch-children API rejects. They now render as a text
separator line (────────────────────────), always accepted.
index: -1 removed from the children API call — Feishu defaults to append-at-end when
index is omitted, avoiding 1770001 invalid param errors.
Stale websocket_chat import — feishu_doc_create was trying to import
channel_feishu_sender_open_id from a deleted module, generating a visible warning. Fixed.
Feishu streaming card stalls — ordered patch queue now correctly processes streaming
updates for Feishu cards without stalling.
Tool status stuck on "running" — Feishu-channel tool status now correctly transitions
from running → done after tool completion.
Added wiki:wiki permission to the recommended Full permission set in channel config.

Admin Chat UI

Read-only session viewer — Admins viewing other users' sessions see a clear "Read-only ·
username" badge at top-left (fixed overlay, never scrolls away).
Card border — the entire chat area is now enclosed in a 12px-radius bordered card for
visual clarity.
Optimistic relationship deletion — relationship rows fade out immediately on delete (no wait).

Cross-Domain Tenant Switch

The ?token= query param is now consumed on app bootstrap, so users switching between tenant
instances via a generated link land directly in the correct tenant without requiring a page reload.

i18n Improvements

All emoji removed from en.json and zh.json translation keys (project policy).
Hardcoded "Copy", "Upload", and several status strings now properly use t().
New i18n key agent.chat.analysing for the AnalysisCard header.
Credential-related UI strings in zh.json completed.

Upgrade Guide

No breaking changes. No database migrations required.

Option A — Docker Compose

cd <clawith-dir>
git pull origin main
docker compose down && docker compose up -d --build

Or the rolling update (no downtime):

git pull origin main

# Frontend
cd frontend && npm install && npm run build
cp public/logo.png dist/ && cp public/logo.svg dist/
cd dist && zip -r ../dist.zip . && cd ../..
docker cp frontend/dist.zip clawith-frontend-1:/usr/share/nginx/html/dist.zip
docker exec clawith-frontend-1 sh -c "cd /usr/share/nginx/html && unzip -o dist.zip"
docker compose restart frontend

# Backend
docker cp backend/app clawith-backend-1:/app/
docker exec clawith-backend-1 find /app -name "__pycache__" -exec rm -rf {} + 2>/dev/null
docker compose restart backend

Option B — Source Deployment

git pull origin main
cd frontend && npm install && npm run build
cd ..
# Restart backend process (e.g. supervisorctl restart clawith-backend)

Option C — Kubernetes (Helm)

helm upgrade clawith helm/clawith/ -f values.yaml

No Alembic migration is required for this release.

Full Changelog

See all commits since v1.8.0-beta.3:
v1.8.0-beta.3...v1.8.1

v1.8.0-beta.3

What's Changed

New Features

Split Code Executor into Local and E2B Cloud tools — The single "Code Executor" tool has been separated into two independent tools. The local tool shows CPU/memory/network config; the E2B Cloud tool only requires an API key. E2B errors are now surfaced explicitly instead of silently falling back to local execution.
MCP Server credential management — New "Edit Server" UI and PUT /tools/mcp-server API endpoint for bulk-updating MCP server URLs and API keys across all tools sharing the same server.
Feishu Wiki document creation — feishu_doc_create now supports creating documents directly inside Wiki knowledge bases, with automatic detection of Wiki node tokens.
Feishu permission JSON UI redesign — Two-tier segmented control (Basic / Full) with i18n support for Feishu app permission configuration.
Live Preview auto-sizing — AgentBay Live Preview panel now auto-sizes to 50% of the chat container width.

Bug Fixes

Plaintext SMTP relay support — STARTTLS is now auto-negotiated based on server ESMTP capabilities instead of being forced on port 25/587. AUTH is skipped for unauthenticated IP-whitelisted internal relays. Password is no longer a required field in email configuration.
Unified context window size — Introduced DEFAULT_CONTEXT_WINDOW_SIZE = 100 constant and unified all 9 communication channels (WebSocket, Feishu, Discord, WeCom, DingTalk, Teams, Slack) to use consistent fallback values.
LLM stream retry — Added httpx.RemoteProtocolError to the stream retry logic to handle upstream connection resets.
Tool config double-encryption — Fixed a bug where already-encrypted sensitive config fields were encrypted again on save.
Loguru format collision — Replaced logger.error(..., exc_info=True) with logger.exception(...) across all channel handlers to prevent crashes when error messages contain special characters.
WeCom message handler — Fixed NameError (agent vs agent_obj) and migrated user creation to channel_user_service to avoid AssociationProxy errors.
Duplicate tool definition — Removed send_channel_message from _ALWAYS_INCLUDE_CORE to prevent "Tool names must be unique" LLM errors.
AgentBay connection test — Fixed test image name (linux_latest) and api_key lookup in global tool config fallback.
FastAPI route ordering — Reordered /tools/mcp-server/bulk before /tools/{tool_id} to prevent 422 validation errors on older FastAPI versions.
Other fixes — LLM model temperature persistence, org_admin access to GitHub/ClawHub tokens, MCP tool import tenant scoping.

UI / i18n

Context Window Size terminology — Corrected misleading "Max Rounds" / "Context Rounds" labels to industry-standard "Context Window Size" with accurate descriptions.
MCP Server group header — Displays hostname instead of full URL for cleaner display.

Upgrade Notes

This is a drop-in upgrade from v1.8.0-beta.2. No breaking changes.

No database migrations required
No new dependencies
No environment variable changes
The new execute_code_e2b tool will be automatically created by the tool seeder on startup. It is not a default tool — agents will not have it unless explicitly added.
The existing execute_code tool's config schema will be auto-synced (the sandbox type dropdown is removed since it's now always "subprocess").

Docker Deployment

git pull origin main
docker compose down && docker compose up -d --build

Source Deployment

git pull origin main
# Backend
pip install -r backend/requirements.txt  # no changes expected, but safe to run
# Frontend (pre-built dist.zip is included)
cd frontend && unzip -o dist.zip -d dist/
# Restart services

Learn more about the new features at: https://github.com/dataelement/Clawith/releases/tag/v1.8.0-beta

🐛 Bug Fixes

SSO: Fixed 500 error (UnboundLocalError) when a new user scans to login via Feishu for the first time.
SSO: Fixed SSO polling endpoint failing to redirect due to a MissingGreenlet exception during async lazy loading.
SSO: Removed the brief No SSO providers UI flash during SSO callback processing.
App Context: Fixed cross-session state corruption during Take Control cookie export and injection.
App Context: Added a leading dot to cookie domains for better subdomain matching.
Take Control: Relaxed the required agent lock permission from manage to use.

📦 Configuration

Added PUBLIC_BASE_URL and PASSWORD_RESET_TOKEN_EXPIRE_MINUTES environment variable configurations to docker-compose.yml.

Releases: dataelement/Clawith